How to configure Multiple LDAP and Multiple Subtrees

How to configure Multiple LDAP and Multiple Subtrees
in one LDAP for Lotus Connections V2
This document describes the steps to configure your WebSphere Application Servers
(WAS) with multiple LDAP servers and multiple subtrees in one LDAP source for
production environments of Lotus Connections 2.
Prerequisites:
1. LDAP servers store user's information, and users must only exist in one LDAP
server (not multiple).
2. Lotus Connections can support environments where each WebSphere
Application Server node is configured to reference its dedicated LDAP source.
3. Distinguished names (DN) of a base entry must be unique (the subtree name is
unique) among the multiple LDAP servers.
LDAP servers supported by Lotus Connections 2.0:
• IBM Tivoli Directory Server 6, 6.1
• Microsoft Windows Server 2003 Active Directory
• Microsoft Active Directory Application Mode
• IBM Lotus Domino 7, 8
• Novell eDirectory 8.8
• Sun ONE iPlanet 5, 6
Configuring multiple LDAP in WAS server console:
1. Access the administration console: http://was.server.com:9060/ibm/console,
and login as administrator.
2. Click "Security -> Secure administration, application, and infrastructure",
under "User account repository", select "Federated repositories" in "Available
realm definitions" field, then click "Configure" button:
3. Input the "Realm name" and "Primary administrative user name" or you can
use the default values.
4. Click "Add Base entry to Realm..." which in the table is named "Repositories
in the realm", to add a base entry from a LDAP server:
5. Click the "Add Repository..." button to add a new repository.
which have been added are listed in the "Repository" field:
All repositories
6. Input all required fields like:
Repository identifier
Directory type
Primary host name
Port
Bind distinguished name
Bind password (for security authentication)
7. Specify a property as "Login properties". The login property can be the uid,
email, or other properties which have been defined in LDAP server, if the
property is not defined in LDAP, you should define a mapping in WAS wim
configuration. (see the Appendix section of this document which utilizes
ADAM as an example).
8. Click the "Apply" or "OK" buttons, and save the configuration changes. The
repository name will list in "Repository" field.
9. Select the repository just added, and input your distinguished name of a base
entry which exists in your LDAP server into "Distinguished name of a base
entry that uniquely identifies this set of entries in the realm" field, this DN will
be used to identify and search users in your LDAP server:
10. Click the "Apply" or "OK" buttons, and save the configuration changes.
Then you will see the new repository has been added and shown in the table
"Repository in the realm":
11. Repeat steps 1 to 6 to add more LDAP servers.
12. Restart the application server for these changes to take effect (if you have
setup a cluster environment, you should first restart Deployment Manager,
synchronize all nodes in your cell, and restart all clusters).
Congratulations! You have completed the configuration of WebSphere Application
Server with multiple LDAP repositories. Users in all repositories can now log in to
Lotus Connections-
Details on how to configure multiple LDAP subtrees in the WAS console:
Just see step 5 above: you can utilize a different distinguished name for the base entry,
and you can add more than one DN of base entry, then WAS will find user follow the
base entry you provided.
The product functions just like a tree: one tree always have many branches, following
different branch will lead to a different set of endpoints (users).
Appendix:
In ADAM, the login property is configured as uid, but there is no uid property in the
ADAM LDAP source, therefore custom mapping is needed between WAS and the
LDAP source.
The detailed steps are the following.
Edit wimconfig.xml file and add this section:
<config:attributes name="samAccountName" propertyName="uid">
<config:entityTypes>PersonAccount</config:entityTypes>
</config:attributes>
Follow tag <config:attributeConfiguration>